Events
An Event is a piece of data discovered by BBOT. Examples include IP_ADDRESS, DNS_NAME, EMAIL_ADDRESS, URL, etc. When you run a BBOT scan, events are constantly being exchanged between modules. They are also output to the console:
[DNS_NAME] www.evilcorp.com sslcert (distance-0, in-scope, resolved, subdomain, a-record)
^^^^^^^^ ^^^^^^^^^^^^^^^^ ^^^^^^^ ^^^^^^^^^^
event type event data source module tags
In addition to the obvious data (e.g. www.evilcorp.com), an event also contains other useful information such as:
- a
.timestampof when the data was discovered - the
.modulethat discovered it - the
.sourceevent that led to its discovery - its
.scope_distance(how many hops it is from the main scope, 0 == in-scope) - a list of
.tagsthat describe the data (mx-record,http-title, etc.)
These attributes allow us to construct a visual graph of events (e.g. in Neo4j) and query/filter/grep them more easily. Here is what a typical event looks like in JSON format:
{
"type": "URL",
"id": "URL:017ec8e5dc158c0fd46f07169f8577fb4b45e89a",
"data": "http://www.blacklanternsecurity.com/",
"web_spider_distance": 0,
"scope_distance": 0,
"scan": "SCAN:4d786912dbc97be199da13074699c318e2067a7f",
"timestamp": 1688526222.723366,
"resolved_hosts": ["185.199.108.153"],
"source": "OPEN_TCP_PORT:cf7e6a937b161217eaed99f0c566eae045d094c7",
"tags": [
"in-scope",
"distance-0",
"dir",
"ip-185-199-108-153",
"status-301",
"http-title-301-moved-permanently"
],
"module": "httpx",
"module_sequence": "httpx"
}
For a more detailed description of BBOT events, see Developer Documentation - Event.
Below is a full list of event types along with which modules produce/consume them.
List of Event Types
| Event Type | # Consuming Modules | # Producing Modules | Consuming Modules | Producing Modules |
|---|---|---|---|---|
| * | 12 | 0 | affiliates, csv, discord, http, human, json, neo4j, python, slack, splunk, teams, websocket | |
| ASN | 0 | 1 | asn | |
| AZURE_TENANT | 1 | 0 | speculate | |
| CODE_REPOSITORY | 2 | 4 | docker_pull, git_clone | dockerhub, github_codesearch, github_org, gitlab |
| DNS_NAME | 57 | 42 | anubisdb, asset_inventory, azure_realm, azure_tenant, baddns, baddns_zone, bevigil, binaryedge, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, builtwith, c99, censys, certspotter, chaos, columbus, credshed, crobat, crt, dehashed, digitorus, dnscommonsrv, dnsdumpster, emailformat, fullhunt, github_codesearch, hackertarget, hunterio, internetdb, leakix, massdns, myssl, nmap, oauth, otx, passivetotal, pgp, postman, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, skymem, speculate, subdomaincenter, subdomains, sublist3r, threatminer, urlscan, viewdns, virustotal, wayback, zoomeye | anubisdb, azure_tenant, bevigil, binaryedge, builtwith, c99, censys, certspotter, chaos, columbus, crobat, crt, digitorus, dnscommonsrv, dnsdumpster, fullhunt, hackertarget, hunterio, internetdb, leakix, massdns, myssl, ntlm, oauth, otx, passivetotal, rapiddns, riddler, securitytrails, shodan_dns, sitedossier, speculate, sslcert, subdomaincenter, sublist3r, threatminer, urlscan, vhost, viewdns, virustotal, wayback, zoomeye |
| DNS_NAME_UNRESOLVED | 3 | 0 | baddns, speculate, subdomains | |
| EMAIL_ADDRESS | 1 | 6 | emails | credshed, emailformat, hunterio, pgp, skymem, sslcert |
| FILESYSTEM | 1 | 2 | trufflehog | docker_pull, git_clone |
| FINDING | 2 | 28 | asset_inventory, web_report | ajaxpro, baddns, baddns_zone, badsecrets, bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google, bypass403, dastardly, git, gitlab, host_header, hunt, internetdb, newsletters, ntlm, nuclei, paramminer_cookies, paramminer_getparams, paramminer_headers, secretsdb, smuggler, speculate, telerik, trufflehog, url_manipulation |
| GEOLOCATION | 0 | 2 | ip2location, ipstack | |
| HASHED_PASSWORD | 0 | 2 | credshed, dehashed | |
| HTTP_RESPONSE | 19 | 1 | ajaxpro, asset_inventory, badsecrets, dastardly, dotnetnuke, excavate, filedownload, gitlab, host_header, hunt, newsletters, ntlm, paramminer_cookies, paramminer_getparams, paramminer_headers, secretsdb, speculate, telerik, wappalyzer | httpx |
| IP_ADDRESS | 9 | 3 | asn, asset_inventory, internetdb, ip2location, ipneighbor, ipstack, masscan, nmap, speculate | asset_inventory, ipneighbor, speculate |
| IP_RANGE | 3 | 0 | masscan, nmap, speculate | |
| OPEN_TCP_PORT | 4 | 5 | asset_inventory, fingerprintx, httpx, sslcert | asset_inventory, internetdb, masscan, nmap, speculate |
| ORG_STUB | 2 | 1 | dockerhub, github_org | speculate |
| PASSWORD | 0 | 2 | credshed, dehashed | |
| PROTOCOL | 0 | 1 | fingerprintx | |
| SOCIAL | 5 | 3 | dockerhub, github_org, gitlab, gowitness, speculate | dockerhub, gitlab, social |
| STORAGE_BUCKET | 7 | 5 | bucket_amazon, bucket_azure, bucket_digitalocean, bucket_file_enum, bucket_firebase, bucket_google, speculate | bucket_amazon, bucket_azure, bucket_digitalocean, bucket_firebase, bucket_google |
| TECHNOLOGY | 3 | 7 | asset_inventory, gitlab, web_report | badsecrets, dotnetnuke, gitlab, gowitness, internetdb, nuclei, wappalyzer |
| URL | 19 | 2 | ajaxpro, asset_inventory, bypass403, ffuf, generic_ssrf, git, gowitness, httpx, iis_shortnames, ntlm, nuclei, robots, smuggler, speculate, telerik, url_manipulation, vhost, wafw00f, web_report | gowitness, httpx |
| URL_HINT | 1 | 1 | ffuf_shortnames | iis_shortnames |
| URL_UNVERIFIED | 5 | 14 | filedownload, httpx, oauth, social, speculate | azure_realm, bevigil, bucket_file_enum, dockerhub, excavate, ffuf, ffuf_shortnames, github_codesearch, gowitness, hunterio, postman, robots, urlscan, wayback |
| USERNAME | 1 | 2 | speculate | credshed, dehashed |
| VHOST | 1 | 1 | web_report | vhost |
| VULNERABILITY | 2 | 11 | asset_inventory, web_report | ajaxpro, baddns, baddns_zone, badsecrets, dastardly, dotnetnuke, generic_ssrf, internetdb, nuclei, telerik, trufflehog |
| WAF | 1 | 1 | asset_inventory | wafw00f |
| WEBSCREENSHOT | 0 | 1 | gowitness |
Findings Vs. Vulnerabilities
BBOT has a sharp distinction between Findings and Vulnerabilities:
VULNERABILITY
- There's a higher standard for what is allowed to be a vulnerability. They should be considered confirmed and actionable - no additional confirmation required
- They are always assigned a severity. The possible severities are: LOW, MEDIUM, HIGH, or CRITICAL
FINDING
- Findings can range anywhere from "slightly interesting behavior" to "likely, but unconfirmed vulnerability"
- Are often false positives
By making this separation, actionable vulnerabilities can be identified quickly in the midst of a large scan